
Re: New Progress Events draft

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 20 Oct 2008 17:48:07 +0200
Message-ID: <48FCA837.7050001@sicking.cc>
To: Charles McCathieNevile <chaals@opera.com>
CC: WebApps WG <public-webapps@w3.org>

Charles McCathieNevile wrote:
> 
> Hi folks,
> 
> at 
> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/progress/Progress.html?rev=1.24 
> you will find a new draft of the progress events spec, for your 
> delectation...

So the spec says that for HEAD requests the size should include the size 
of headers. I just realized that this might be a security issue.

The headers can include the user's password, many times in clear text. If 
a site knows the size of the default headers for a given implementation, 
it can figure out the size of the user's password by subtracting the 
default size from the size reported from the 'load' event from a HEAD 
request.

/ Jonas
Received on Monday, 20 October 2008 15:50:07 GMT
